TONY WEBSTER 

tony@tonywebster.com 
(202) 930-9200


January 23, 2019 
BY EMAIL

Rep. John Lesch 

Chair, Judiciary Finance and Civil Law Division 
Minnesota House of Representatives 
563 Rev. Dr. Martin Luther King Jr. Blvd. 

St. Paul, MN 55155 

Sen. Warren Limmer 

Chair, Judiciary and Public Safety Finance and Policy Cmte. 

Minnesota Senate 

3221 Minnesota Senate Bldg. 

St. Paul, MN 55155 

Re: Support for HF 54 and SF 248 - Removal of “nongovernmental purpose” language from government security breach statute

Dear Legislators: 

My name is Tony Webster, a journalist in Minneapolis. I frequently use the Data
Practices Act in my work. While I care deeply about transparency in government, it is also 
paramount that Minnesotans’ privacy rights be balanced with a need to know. Based on my 
experiences with government entities illegally releasing not-public data to me on a routine 
basis, I write to express my support for HF 54 and SF 248.

Minnesota’s government data breach statute, Minn. Stat. § 13.055, prescribes that
when someone obtains, accesses, or views government data without the informed consent of 
an individual data subject, or statutory authority, it is an “unauthorized acquisition” and thus a 
“breach of the security of the data” as those terms are defined therein. In such situations, the 
government entity must deliver a written breach notification to the subject of the data, conduct 
an investigation, prepare a report, and in some cases coordinate with consumer credit 
reporting agencies. But, there’s a catch: government entities don’t have to do any of that if 
they determine, in their sole judgment, that the person or company who received the data did 
not have a “nongovernmental purpose” in their acquisition. 

In 2016, the Duluth Police Department misunderstood a Data Practices Act request I 
submitted for information about their use of automated license plate readers, which are 
cameras affixed to squad cars, traffic lights, or buildings. They illegally gave me a spreadsheet 
containing all the data collected by their system—including the license plate numbers, 
geographical coordinates, and timestamps of where every vehicle had been spotted in Duluth 
over a multi-month period of time—which I hadn’t even asked for. This data can reveal where
Minnesotans live, work, worship, or receive medical care, and was classified as private under
law. When I told the City of Duluth that they had done this, they were not aware that the data 
was classified as private. They then proceeded to do it again, sending me the legally-private 
data a second time. As an example, I have enclosed a page of the data I was provided. I have
redacted the license plate number, but the City of Duluth had not done so. 

I reported this to the Data Practices Office (DPO) in the Minnesota Department of 
Administration, formerly known as the Information Policy and Analysis Division (IPAD),
who advised the City of Duluth that they did not have any requirements under the breach 
statute because DPO determined that I did not have a “nongovernmental purpose” in my 
receipt of the data. In other words, because they felt I wasn’t a ‘bad guy,’ Duluth did not need 
to conduct an investigation, prepare a report, or notify the data subjects that their information 
had been illegally released. 

Of course, I did not disclose the data to anyone, but the government entity had no 
assurances that I would not have used it for malicious purposes or stored it such that others 
could access it. I have also enclosed a copy of DPO’s response on the matter. 

Since then, government entities around the state have routinely released private data to 
me, through mistake or neglect, or—more frequently—a lack of knowledge about the law. For 
example, one agency provided me legally-private data on minors, another provided me a list 
of passwords to access law enforcement services, and yet another provided me a police 
officer’s home address. 

Last month, the Eden Prairie Police Department publicly published their response to 
my data request on their website, which originally included a data subject's unredacted Social 
Security Number. I immediately notified the City and Chief of Police of this. About a month 
later, I followed up to see if they had done an investigation or sent a breach notification to the
individual who had their Social Security Number published on the City’s public website, and 
was told today that the City Attorney had decided it was not necessary. I know multiple 
individuals had downloaded the file from the City’s public website, and the link has been 
indexed by search engines, so determining the intent (or even identity) of those individuals 
would not have been practicable. 

Based on the current statutory language, government entities believe they do not have 
an obligation to perform an investigation, prepare a report, or inform the data subject of an 
illegal release of not-public data if the government entity unilaterally determines there is no 
intent by the person who received or accessed the data to use that data for a nongovernmental 
purpose. I am aware of no rules or procedures to guide government entities in making this 
determination, nor do I think any such guidelines could be effective. 

Certainly, if my Social Security Number were published online on a government 
website, I would want to know right away so that I could take measures to prevent fraud and 
identity theft. If I were a survivor of domestic assault or stalking, I would want to know 
immediately that someone may have been given information about my daily movements. I 
would also want government entities to conduct a full investigation, as the Legislature
mandated in the breach statute. 

HF 54 and SF 248 propose the following simple change to Minn. Stat. § 13.055, subd. 1:

“Unauthorized acquisition” means that a person has obtained, 
accessed, or viewed government data without the informed consent 
of the individuals who are the subjects of the data or statutory 
authority and with the intent to use the data for nongovernmental 
purposes.”

I support this simple and necessary change that makes a breach a breach, regardless of 
whether government feels the person or business receiving it has ill intent. 

I also want to note that there is already a provision in the breach statute at Minn. Stat. 
§ 13.055, subd. 1(a) that provides a “good faith” exception for internal or contractor 
acquisitions of data, if it was done for the purposes of the government entity, which this bill 
does not alter. Separately, this bill does not risk criminalizing receipt of not-public data, 
because Minn. Stat. § 13.09 already requires such acts be knowing and willful. 

I believe government entities will oppose the bill, but I do not think it is appropriate 
for government to make a “nongovernmental purpose” decision, because their incentive is to 
avoid being burdened with having to conduct an investigation, prepare a report, notify data 
subjects, receive negative publicity, or have individuals be made aware of their rights and 
remedies under law. They may also oppose this bill out of concern for liability, but this bill 
does not increase or change government liability. If data is released illegally, a person may 
bring an action for damages regardless of whether they’ve been notified, or whether the 
government entity has conducted an investigation or prepared a report. But under this current 
statutory language, they may never be notified, and may never know their information has 
been released, or that they have rights and remedies under law. 

This bill is an important accountability measure which ensures the effectiveness of the 
Legislature’s mandate and purpose in enacting our government data breach statute. If you are 
an author or supporter of the bill, I extend my sincere appreciation. If you are not, I ask you to 
support it. I respectfully ask for this letter to be included in the record when the bill is heard. 
If you have any questions, please let me know. 

Thank you for your time and consideration. 


Sincerely, 



Enclosure 








(Redactions made by me, NOT the City of Duluth) 



1/23/2016 8:46:11 PM 46.8315 -92.0367 














Tony Webster <tony@tonywebster.com> 
Follow-up related to ALPR data request


Christensen, Stacie (ADM) <stacie.christensen@state.mn.us> Thu, Mar 24, 2016 at 11:57 AM 

To: "mtusken@duluthmn.gov" <mtusken@duluthmn.gov>, "lmarquardt@duluthmn.gov" <lmarquardt@duluthmn.gov>

Cc: "tony@tonywebster.com" <tony@tonywebster.com>, "Beyer-Kropuenske, Laurie C (ADM)" <laurie.beyer-kropuenske@state.mn.us>


Hello Interim Chief Tusken and Lt. Marquardt, 


Thank you for taking the time to discuss Tony Webster’s data request related to automated license plate reader (ALPR) 
data and his subsequent letter to the Commissioner of Administration. I appreciated having the ability to share clarifying 
information with you regarding the requirements of the Data Practices Act, generally, and ALPR data, specifically. In 
addition, I appreciate your willingness to follow-up with Mr. Webster to further address his request. 


As you are aware, the Commissioner will not order an independent audit in addition to the required biennial audits, at this 
time. Agencies are required to arrange for independent audits after August 1, 2017.


Finally, as I mentioned, your response to Mr. Webster’s data request does not trigger the data breach notification section 
because the element of intent to use the data for nongovernmental purposes is not present. 


Again, I appreciated the opportunity to provide you with further guidance and technical assistance. I look forward to 
answering your future compliance questions and in working with you on future training opportunities. 


Regards, 

Stacie 


Stacie Christensen 

Director 

Information Policy Analysis Division (IPAD) 
Minnesota Department of Administration 
651.201.2500 
www.ipad.state.mn.us 




